The branch, master has been updated
       via  d89bbe9 Fix bug #8474 - SMB2 create doesn't cope with an Apple client using NULL blob in create
       via  e68ebe6 Fix bug #8473 - smb2_find uses a hard coded max reply size of 0x10000 instead of smb2_max_trans.
      from  60d91f2 s3-libnet: allow to use default krb5 ccache in libnet_Join/libnet_Unjoin.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit d89bbe9b0a989b8b5b1ecbd43c063a388e122aaf Author: Jeremy Allison <j...@samba.org> Date: Wed Sep 21 11:40:01 2011 -0700 Fix bug #8474 - SMB2 create doesn't cope with an Apple client using NULL blob in create Cope with zero length data_offset and data_length values. Autobuild-User: Jeremy Allison <j...@samba.org> Autobuild-Date: Wed Sep 21 22:12:40 CEST 2011 on sn-devel-104 commit e68ebe600d9349e16e83aeb8e6ae8647c117d098 Author: Jeremy Allison <j...@samba.org> Date: Wed Sep 21 11:30:06 2011 -0700 Fix bug #8473 - smb2_find uses a hard coded max reply size of 0x10000 instead of smb2_max_trans. Use lp_smb2_max_trans() instead of 0x10000. ----------------------------------------------------------------------- Summary of changes: libcli/smb/smb2_create_blob.c | 10 +++++++--- source3/smbd/smb2_find.c | 2 +- 2 files changed, 8 insertions(+), 4 deletions(-) Changeset truncated at 500 lines: diff --git a/libcli/smb/smb2_create_blob.c b/libcli/smb/smb2_create_blob.c index 444dc84..b44f28a 100644 --- a/libcli/smb/smb2_create_blob.c +++ b/libcli/smb/smb2_create_blob.c @@ -63,9 +63,10 @@ NTSTATUS smb2_create_blob_parse(TALLOC_CTX *mem_ctx, const DATA_BLOB buffer, name_offset > remaining || name_length != 4 || /* windows enforces this */ name_offset + name_length > remaining || - data_offset < name_offset + name_length || - data_offset > remaining || - data_offset + (uint64_t)data_length > remaining) { + (data_offset && (data_offset < name_offset + name_length)) || + (data_offset && (data_offset > remaining)) || + (data_offset && data_length && + (data_offset + (uint64_t)data_length > remaining))) { return NT_STATUS_INVALID_PARAMETER; } 
@@ -88,6 +89,9 @@ NTSTATUS smb2_create_blob_parse(TALLOC_CTX *mem_ctx, const DATA_BLOB buffer, data += next; if (remaining < 16) { + DEBUG(0,("smb2_create_blob_parse: remaining1 = %d, next = %d\n", + (int)remaining, + (int)next)); return NT_STATUS_INVALID_PARAMETER; } } diff --git a/source3/smbd/smb2_find.c b/source3/smbd/smb2_find.c index 6c68810..509b9d6 100644 --- a/source3/smbd/smb2_find.c +++ b/source3/smbd/smb2_find.c @@ -281,7 +281,7 @@ static struct tevent_req *smbd_smb2_find_send(TALLOC_CTX *mem_ctx, return tevent_req_post(req, ev); } - if (in_output_buffer_length > 0x10000) { + if (in_output_buffer_length > lp_smb2_max_trans()) { tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER); return tevent_req_post(req, ev); } -- Samba Shared Repository
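Review bot: in the reworked validation in the first smb2_create_blob_parse hunk, every data_offset/data_length check is now gated on data_offset being non-zero, so a blob with data_offset == 0 and a non-zero data_length passes validation with no bounds check on data_length at all; if the parser later uses data_length to slice the buffer, that is an out-of-bounds read driven by a client-controlled value. Consider accepting the NULL-blob case explicitly, i.e. `(data_offset == 0 && data_length == 0)`, and otherwise keeping the original three checks unchanged, or at minimum adding an ungated `data_length > remaining` check.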
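Review bot: the new DEBUG(0, ...) in the second smb2_create_blob_parse hunk fires on a malformed create blob, which is client-controlled input, so at level 0 a single misbehaving client can fill the log at will; a level such as DEBUG(10, ...) is the usual choice for parse-failure diagnostics. The label `remaining1` also reads like a leftover from interactive debugging; naming the value plainly (`remaining`) would make the message useful to whoever reads the log later.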
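Review bot: the smb2_find.c hunk makes the reply-size check depend on lp_smb2_max_trans(), i.e. the `smb2 max trans` smb.conf parameter, and a one-line comment above the `if` saying so would save the next reader from having to find out which setting governs the NT_STATUS_INVALID_PARAMETER rejection. It is also worth confirming that lp_smb2_max_trans() and in_output_buffer_length have compatible signedness, since a signed return value compared against an unsigned length promotes silently and could turn an out-of-range configuration value into an effectively unlimited reply size.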